PowerFlex: 4.X Outdated DES/3DES Ciphers In TLS/SSL On Port 6443

CVE-2016-2183

Monitoring tools may detect an increase in encrypted network traffic, particularly involving DES/3DES ciphers, which is atypical for regular operations. The PowerFlex system consistently fails certain security scans, especially those targeting encryption protocols, indicating the use of vulnerable DES/3DES ciphers.

In PFxM, the  kube-API pod listens on port 6443. 

4-5-mvm1:~ # ss -anp |grep 6443 |grep LIST
tcp           LISTEN             0               128                                                                            *:6443                                       *:*               users:(("kube-apiserver",pid=31133,fd=7))

Impact

Due to this vulnerability, the PowerFlex system fails to meet security compliance standards as evidenced by its inability to pass security assessments, such as Qualys scans.

The core issue stems from implementing the DES/3DES cipher within the TLS/SSL protocol in the PowerFlex system. DES (Data Encryption Standard) and 3DES (Triple DES) are encryption algorithms with known vulnerabilities and are considered outdated and insecure for modern cryptographic standards. In CVE-2016-2183, the flaw lies in how these ciphers are used in the encryption process, making them susceptible to specific types of cryptographic attacks. This vulnerability allows a man-in-the-middle attacker to intercept and decrypt portions of the data transmitted between the server and client, undermining the security of the communication.

https://access.redhat.com/security/cve/cve-2016-2183

https://www.cve.org/CVERecord?id=CVE-2016-2183

Workaround

Upgrade PFxM to version 4.5.2 or higher. 

Impacted Versions

PFxM versions 4.5.1.x and lower

Fixed In Version

PFxM versions 4.5.2 and higher